Method and system for connecting manipulation equipment between operator's premises and the internet

ABSTRACT

Traffic passing between remote terminals and corporate intranets through an access server provider network can encounter security and addressing problems. Intercepting and manipulating this traffic can overcome these, as well as other problems. For such traffic that is being transported over a plurality of Network Based Tunnels (NBT), this manipulation can be performed by manipulation equipment that may reside in the access server provider's network between an Access Gateway (AGW) and a Border Gateway (BGW). The manipulation equipment may manipulate received NBT packets by parsing the original packet that is encapsulated in the NBT packet, manipulating the original packet and reconstructing the NBT packet with the manipulated data of the original packet.

RELATED APPLICATIONS

This patent application claims the benefit of the filing date of U.S. Provisional Application for Patent having Ser. No. 60/388,397 and having been filed on Jun. 14, 2002 and International Application Number PCT/IL03/00491 having an international filing date of Jun. 11, 2003, both of which are entitled METHOD AND SYSTEM FOR CONNECTING MANIPULATION EQUIPMENT BETWEEN OPERATOR'S PREMISES AND THE INTERNET.

FIELD OF THE INVENTION

The present invention relates to mobile data communication and, more particularly, to a system and method for connecting Manipulation Equipment (MEq) in a Wireless Operator's Premises that supports Enterprise Virtual Private Networks (VPN).

BACKGROUND

Conventionally, companies have networked geographically dispersed intra-corporation networks together through the use of private lines. This technique allowed for the formation of a network system that was isolated from external networks and thus, had some level of assurance that the network would be secure. However, when intra-corporation communication is conducted over the Internet, thereby taking advantage of the low cost associated with such connectivity, the enterprise communication is done through the use of a Virtual Private Network (VPN). The use of a VPN for such a solution results in virtually building private networks through the Internet by using the Internet Protocol (IP) facilities provided by IP networks and the facilities of lower layer protocols below the IP. This art enables building a safe network that is isolated from external networks and can provide quality assurance service of any level, even through the Internet.

Today, the workforce continues to migrate towards mobility and thus, the requirements for employees to have remote data access generate an increasing need for communication through Mobile VPNs (MVPN) that are spread over wire line networks and wireless data networks. A MVPN may use a combination of data packets, radio protocols on the mobile side (dynamic side) and tunneling protocols on the plane side (fixed side, static side). A static tunnel between the wireless operator's premises and the intranet of a corporation, connecting through the Internet Service Provider (ISP), is called a Network Based Tunnel (NBT). An exemplary NBT may be a "Compulsory Tunnel" (CT). Throughout this description, the terms Network Based Tunnel and Compulsory Tunnel may be used interchangeably and/or have the same meaning. An exemplary protocol for packet communication over wireless data networks is the General Packet Radio Service (GPRS). Other wireless protocols may include, but are not limited to, HDR (High Data Rate), CDPD (Cellular Digital Packet Data), etc., as well as others not listed.

An NBT may be used by multiple peers of the same corporation and may be active even without any current transportation. The NBTs are based on protocols such as, but not limited to, the IPSec, LSP/IPSec, L2TP, GRE, IEEE 802.1Q (VLAN Tagging, or VLAN TAG, both terms are used interchangeably herein), IP over IP protocols, as well as other protocols not listed. The wireless operator has an Access Gateway (AGW), which converts NBT traffic coming through the Internet, or over a direct connection from the corporation's intranet, via a Border Gateway (BGW), into an appropriate wireless protocol and vice-versa. One example of an Access Gateway is the Gateway GPRS Support Node (GGSN). Another example of an Access Gateway is a Packet Data Serving Node (PDSN) such as those used in CDMA2000 Radio Access Network (RAN).

In intra-corporation networks, private IP addresses are often used. IP addresses are divided into public IP addresses and private IP addresses. Public IP addresses are globally defined unique addresses, whereas private IP addresses can be freely defined by a corporation. Thus, it is desirable for private IP addresses to be used when corporations use VPN service. If a plurality of VPNs are employed, and private IP addresses are used over the VPNs, it is possible that a private IP address used in one VPN is also used in another VPN during the same time over the wireless operator network.

To improve services, an operator may want to add Manipulation Equipment (MEq) that operates to interrupt the communication between a remote client and its final destination, and then perform some manipulation on the data. An exemplary MEq may be a personalization server that operates to add personal banners to the communication being directed towards the remote client. Another exemplary MEq may be a front-end content server such as the MS Exchange Server. Other MEq may operate to improve the speed of the communication and reduce the volume of data over the wireless lines. Generally, the MEq is located between the Access Gateway and the Border Gateway or Router. An MEq may manipulate the data in internal layers, such as: the Transport layer (TCP), in the application layer (HTTP, MAPI etc.) and in the content (html, gif etc.). Within the context of this description, the terms manipulation, optimization and acceleration may be used interchangeably and at times, may have the same meaning.

In the case of using a VPN, the communication between the Access Gateway and the Border Gateway is done through an NBT. Therefore there is a need to break the NBT at the input to the MEq and reconstruct (re-tunnel) the tunnel at the output of the MEq. Moreover, the tunnel between the operator's network and the corporation's intranet(s) may comprise a plurality of connections from a plurality of mobile peers, some of them may use the MEq and others may not. Furthermore, the communication from/to a client using the MEq may contain information that is not handled by the MEq. These are some of the difficulties that a system, which splits the NBT, needs to overcome in reconstructing, or re-tunneling, the tunnel. In addition to these difficulties, the data that returns from the MEq may be different than the data that was sent to the MEq.

The transportation over the VPN may be protected by mechanisms such as Remote Authentication Dial In User Service (RADIUS) in the plane section. Another mechanism may be to encrypt the data flow. These methods operate to protect the confidentiality of the connection. The splitter system, which reads, processes and manipulates the transportation, needs to inter-operate with these methods.

Therefore there is a need for a system and a method for splitting a plurality of VPN tunnels, in between the Access Gateway in the operator's network and a plurality of corporate intranets over a data network (like the Internet or via private connection), decrypting the data, redirecting the data to a manipulation server, manipulating the data, receiving the manipulated data, encrypting the manipulated data and reconstructing the appropriate tunnels (re-tunneling) again.

SUMMARY OF THE INVENTION

The present invention provides a system and a method that enables manipulation of data in an Access Service Provider network. The manipulation is done while the data is transported over a plurality of Network Based Tunnels (NBT) between a remote client (for example a wireless client) and the intranet of the client's corporation. The system may reside in the Access Server Provider's network between the Access Gateway (AGW) and the Border Gateway (BGW). The present invention may manipulate transportation between a remote client and its corporate intranet by parsing the packet of the NBT, transferring the original packet, the packet that is encapsulated in the NBT packet, to the MEq, manipulating the original packet and reconstructing the NBT packet with the manipulated data. The present invention is operative in both directions.

Other features and advantages of the present invention will become apparent upon reading the following detailed description of the embodiments with the accompanying drawings and appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 a is a block diagram of general intra-corporation communication between remote peers and their corporate intranet.

FIG. 1 b is a block diagram of intra-corporation communication between remote peers and their corporate intranet, while the Access Provider is using a GPRS network.

FIG. 2 is a block diagram illustrating the employment of modification equipment within the network topology embodiment shown in FIG. 1 a.

FIG. 3 is a block diagram of an exemplary MEq Farm 210 that could be employed in the exemplary embodiment illustrated in FIG. 2.

FIG. 4 is a block diagram illustrating another exemplary embodiment of an MEq Farm.

FIGS. 5 a and 5 b are flow charts that illustrate an exemplary method that may be used by an IF Server Module (FIG. 3) for handling packets coming from an AGW (FIG. 2).

FIGS. 6 a and 6 b are flow charts that illustrate an exemplary method that may be used by an IF Module (FIG. 3) for handling packets coming from a BGW (FIG. 2).

DETAILED DESCRIPTION OF THE INVENTION

Referring now to the drawings, in which like numerals refer to like parts throughout the several views, exemplary embodiments of the present invention are described.

FIG. 1 a is a block diagram of intra-corporation communication between mobile peers and their corporate intranet. A communication system 100, which uses tunnels between the Access Provider Network (APN) 1150 and the corporate intranet, has been selected as an exemplary environment that is suitable for implementing the present invention. The communications system 1100 may be a cellular data communication network, satellite networks, access networks, Internet Service Provider (ISP), or other type of network or communication system. Within the context of this description, the terms cellular, satellites, wireless, and ISP may be used interchangeably and at times, may have the same meaning.

A plurality of remote terminals, 1110 a-1110 n, are connected via data links 1120 to an Access Gateway (AGW) 1158 within the Access Provider Network 1150. The connection between the remote terminals 1110 a-1110 n and the APN 150 may be via intermediate nodes (such as a base station etc.) not shown in FIG. 1 a. The remote terminals 1110 a-1110 n represent any devices that can communicate data over a data network using an Internet Protocol, including but not limited to: laptop computers, palm computers, cellular phones or the like. By way of example, FIG. 1 a illustrates the use of three terminals; however, those skilled in the art will realize that any number of terminals could be used in this system.

The AGW 1158 acts as an access gateway. It provides foreign agent support and packet transport for virtual private networking. It also acts as an Authentication, Authorization, and Accounting (AAA) agent for the remote client. AGW 1158 may be a Remote Access Server (RAS), GGSN or PDSN or any other similar node. The AGW 1158 is the gateway between the network system of the wireless operator and the external data network, which may be the Internet 1160 and/or the corporate intranets 1170 that may be connected directly to the operator's premises 1162 k or via the Internet 1160. The AGW 1158 performs the following operations in the uplink direction:

(a) the AGW 1158 terminates the connection from remote terminals 1110 and initiates the setup of an NBT 1162 to the appropriate corporate intranet 1170 a-1170 k through Border Gateway (BGW) 1159;

(b) the AGW 1158 routes the appropriate packets received from a remote client to the appropriate NBT 1162 of his/her corporation;

(c) the AGW 1158 may send via the same NBT 1162, packets of different users that belong to the same corporation.

The AGW 1158 performs the following operations in the downlink direction:

(a) the AGW 1158 terminates the NBT 1162 and forwards packets to the remote clients 1110 a-1110 n and 1115; and

(b) the AGW 1158 receives through the same tunnel 1162 packets with destination addresses of different remote clients 1110 of the same corporation.

By way of example, three corporate intranets 1170 a-1170 k are illustrated, however, those skilled in the art will realize that any number of corporate intranets 1170 could be included.

From AGW 1158, the traffic through the NBT 1162 is transferred via a Border Gateway (BGW) 1159 that routes each NBT to the appropriate corporate intranet 1170. Within this description, the terms BGW and the Border Router may be used interchangeably.

Traffic from private remote user 1115 not belonging to any of the corporations or not intended for a corporate intranet, follows the path through the wireless connection 1120 to AGW 1158, BGW 1159, the Internet 1160 and finally to public web sites 1180 via common IP connections 1182 to its final destination and not via any of the NBT 1162. The IP connection 1182 may include, but is not limited to, TCP, UDP and others.

FIG. 1 b is a block diagram of intra-corporation communication between mobile peers and their corporation while the Access Provider is using a GPRS network. A cellular system 100 based on the GPRS protocol has been selected as an exemplary environment that is suitable for implementing an embodiment of the present invention. However, the present invention is not limited to any particular cellular communication system, but rather, any other communications system using tunnels may be employed. Such other communication systems include, but are not limited to, communication over: satellites networks, PSTN (Public Switched Telephone Network), ISDN (Integrated Services Digital Network) lines or the like.

A plurality of laptop computers (110A5, 110C5, 110B2, 110B7 and 110A3) are connected via cellular connections 120 to a plurality of Base Stations (BS) 130 a-130 n. The laptop computers 110 represent any portable devices that can communicate data over a wireless network using an Internet Protocol, such as but not limited to, palm computers, cellular phones or the like. By way of example, three laptop computers 110 are shown as connected to each BS 130, however, those skilled in the art will realize that any number of laptop computers 110 can be connected. Also, by way of example, two BS 130 are connected to the operator's premises; however, those skilled in the art will realize that any number of BSs could be used. BS 130 may be connected via a VWB (Very Wide Bandwidth) connection 140 to the operator's premises 150. The VWB connection may be a Frame Relay, ISDN, ATM, Fiber optic connection or any other appropriate connection.

The connection of the BS 130 to the operator premises 150 is terminated at System GPRS Support Node (SGSN) 152 a to 152 k. The SGSN is responsible for the mobility management; session management; authentication procedures; and routing the packets downlink to the appropriate BS 130 and sending the packets uplink via GTP tunnels 154 a and/or 154 k to the appropriate Gateway GPRS Support Node (GGSN) 158. GPRS Tunneling Protocol (GTP) tunnels run over IP-based Networks, in the wireless operator's premises between the SGSN 152 and the GGSN 158. By way of example, two SGSNs 152 in the operator's premises are shown; however, those skilled in the art will realize that any number of SGSNs 152 can be utilized. Each SGSN 152 may be connected to more than one GGSN 158, which may be located in another operator's premises (not shown).

The GGSN 158 is the Access Gateway between the GPRS Network System of the wireless operator and the external data network, which may be the Internet 160 and/or the corporate intranets 170 that may be connected directly to the operator's premises 150 (not shown in the drawing) or via the Internet 160.

The GGSN 158 performs the following tasks in the uplink direction:

(a) the GGSN terminates the GTP tunnels from SGSN 152 and initiates CTs 162 to the appropriate corporate intranet via Border Gateway (BGW) 159;

(b) the GGSN routes the appropriate packets received from a mobile client to the appropriate CT of his/her corporation; and

(c) the GGSN 158 may send, via the same CT 162, packets originating from users that belong to the same corporation that are received via the same BS 130 or a different BS.

The GGSN 158 performs the following tasks in the downlink direction:

(a) the GGSN 158 terminates the CT 162 and forwards the packets over the GTP tunnels to the appropriate SGSN 152;

(b) the GGSN 158 receives via the same tunnel 162, packets with destination addresses of clients, who are currently connected to different BSs 130; and

(c) the GGSN 158 routes the packets via the appropriate GTP tunnels to the appropriate SGSN 152.

From GGSN 158, the CT 162 are transferred via the Border Gateway (BGW) 159 that routes each CT to the appropriate corporation. The terms BGW and the Border Router may be used interchangeably throughout this description.

As illustrated in FIG. 1 b, two users (110B2 and 110B7) associated with Corporation B, 170 b, and one user (110A3) associated with Corporation A 170 a are connected via BSa 130 a, VWB 140 a and SGSNa 152 a, to the operator's premises 150. Please note that the identification numbers for the users utilize a letter (i.e. 'A' & 'C') to indicate the corporation that they are associated with, and a digit (i.e., 1-7) to indicate the private IP address of the remote client. Two users having the same private IP address (No. 5, 110A5 and 110C5), are connected via BSn 130 n, VWB 140 n and SGSNk 152 k to the operator's premises 150. However each of these two users is associated with a different corporation, Corporation A and Corporation C, respectively. Although in FIG. 1 b, each SGSN 152 is connected to a single BS 130, each SGSN 152 may be connected to a plurality of BSs 130.

From SGSN 152 to GGSN 158 the data travels via GTP tunnel 154. Each such tunnel may carry data of different users and different BSs 130. The GGSN 158 terminates the GTP tunnels 154 and generates CTs 162. Thus, a CT is generated for each corporation (tunnels 162 a, 162 b and 162 c connecting to corporation 170 a, 170 b and 170 c, respectively). The transportation between user 110A3 and corporation 170 a is done via: BSa 130 a, VWB 140 a, SGSNa 152 a, GTP tunnel 154 a, GGSN 158 and CT 162 a via BGW 159. The transportation between user 110A5 and corporation 170 a is done via: BSa 130 n, VWB 140 n, SGSNk 152 k, GTP tunnel 154 k, GGSN 158 and CT 162 a, BGW 159, etc. This present configuration of transportation paths is a momentary situation and can change as the user moves from one cell to the other.

Traffic from a cellular user that is not associated with any of the corporations is transported via the BS 130, VWB 140, SGSN 152, GGSN 158 and BGW 159 to the Internet via a common IP connection, like but not limited to, TCP, UDP etc., to its final destination and not via a CT.

FIG. 2 is a block diagram illustrating the employment of modification equipment within the network topology embodiment provided in FIG. 1 a. In general, FIG. 2 illustrates the communication between remote users with their plane destination. The remote terminals 1110 a to 1110 n may belong to mobile peers that communicate with their corporations (1170 a to 1170 k) via system 200 or private remote terminals 1115 that communicate with public web sites 1180. System 200 employs the use of a Manipulation Equipment Farm 210 (MEq) that is operating in accordance with an exemplary embodiment of the present invention.

An exemplary embodiment of the MEq 210 intercepts traffic being communicated between the operator premises 1150 and a corporation 1170. The MEq 210 receives all the packets that are flowing between the Access Provider Network 1150 via AGW 1158 and the BGW 1159 to the Internet 1160 and to corporate intranets 1170. In one exemplary embodiment, the MEq 210 may be configured as the default gateway for both sides of the Access Provider Network 1150, (i.e., for AGW 1158 and for the BGW 1159). In another exemplary embodiment, the MEq 210 may physically reside between the AGW 1158 and the BGW 1159. In both cases, the MEq 210 may be transparent to both sides of the NBT 1162 or to the IP connection 1182.

Other exemplary embodiments may use the IP address of the MEq 210 as the next hop address of the AGW 1158 (GRE Proxy). In such an embodiment, the MEq 210 terminates the NBT for both sides, for AGW 1158 and for the corporate intranet 1170. The destination address of the packets from AGW 1158 to the corporate intranet 1170 is the IP address of the MEq 210 and the source IP address of the packets from the MEq 210 to the corporation is the IP address of the MEq 210.

FIG. 3 is a block diagram of an exemplary MEq Farm 210 that could be employed in the exemplary embodiment illustrated in FIG. 2. The MEq 210 may include, but is not limited to, the following logical modules:

AGW Interface module (AGWIF) 310,

BGW Interface module (BGWIF) 320,

MEq Interface and Dispatcher module (MEqIF) 330, and

a plurality of Virtual MEq Servers (VMEqS) 350 a to 350 n.

Other embodiments may have other combinations of modules. For example, in one embodiment, the MEq Interface and Dispatcher module (MEqIF) 330 may be divided into two logical modules: MEq Interface module and Dispatcher module. Each logical module within the MEq 210 may be a software module or hardware module. All the modules may reside in one logical entity or may be spread over several logical entities that are connected over a LAN or by some other means. A logical entity may be a computer. The number of computers employed depends, at least in part, on the traffic at the operator's premises 1150. The system is scalable and may be upgraded when needed.

The MEq 210 can be viewed as having two major modules or module groupings. These major modules include the Interface module (IF module) 303 and the MEq Server module 307. Each of these major modules may reside in a different computer or in more than one computer. In addition, each major module may be manufactured by different or multiple vendors. The operation of an exemplary MEq 210 is disclosed below in reference with the direction of the packets.

Uplink Operation

Following is a description of the operation of an exemplary MEq 210 in uplink operation. In the uplink direction, all of the traffic from AGW 1158 (FIG. 2) to the Internet 1160 (FIG. 2) reaches MEq 210 as disclosed above in conjunction with FIG. 2. Traffic arriving at the MEq 210 via connection 215 first arrives at the AGWIF 310 Logical module. Among other things, the AGWIF 310 may check the encapsulation IP header (the header of the NBT packet) of each received packet to determine whether the packet belongs to a corporate intranet 1170 that is a user of the MEq 210. If the AGWIF 310 determines that a packet belongs to such a corporate intranet 1170, the AGWIF 310 transfers the packet over connection 313 to the MEqIF logical module 330 for manipulation. However, if the AGWIF 310 determines that the packet does not belong to a corporate intranet 1170 that is a user of the MEq 210, then the AGWIF 310 transfers the packet, as is, over connection 317 to the BGWIF logical module 320.

It should be noted that the operation of the AGWIF 310 depends on the topology of the MEq 210. If the topology is transparent, the source address of each received packet is the IP address of the AGW 1158 (FIG. 2) and the destination address is the address of the intended corporate intranet 1170, or any other destination address. Therefore, in an exemplary embodiment, the AGWIF logical module 310 may have a table of all the corporate intranets 1170 that are users of the MEq 210. Based on a comparison of the destination address with the contents of this table, the AGWIF 310 determines whether the packet will be transferred to the MEqIF 330 or to the BGWIF 320.

If the topology of the MEq 210 is such that it is terminating the tunnel, the source address of each received packet is the IP address of AGW 1158 but the destination address is the IP address of MEq 210. In this embodiment, the AGWIF 310 processes the header of the original packets to determine whether the destination address is the IP address of the MEq 210 or one of the VMEqS 350.

The tunneling protocol between the operator's premises 1150 and the corporate intranet 1170 may use an IP over IP protocol (such as RFC 1241 and RFC 1479) or a GRE protocol (such as RFC 1701, RFC 1702 and RFC 2784), an IEEE 802.1 Q protocol (such as VLAN Tagging) or any similar protocol.
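The split/manipulate/re-tunnel step that the MEq performs on an NBT packet, as an added example that is not part of the patent text: it breaks an IP-over-IP or plain GRE (no optional fields) NBT packet into its outer header and the original encapsulated packet, rewrites the original packet's content, and rebuilds both headers with correct lengths and checksums. The addresses and the "banner" rewrite are constructed sample values, not from the page.

```python
import socket
import struct

# Protocol numbers / types for the two encapsulations handled here.
IPPROTO_IPIP = 4          # IP-over-IP
IPPROTO_GRE = 47          # GRE (RFC 2784 style header, no optional fields)
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header (yields 0 when a stored checksum is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, verify its checksum and return the fields plus the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def split_nbt(packet: bytes):
    """Break the NBT: return (outer header fields, encapsulation bytes, original inner packet)."""
    outer = parse_ipv4(packet)
    payload = outer["payload"]
    if outer["proto"] == IPPROTO_IPIP:
        encap, inner = b"", payload
    elif outer["proto"] == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if flags & 0xF000:          # C/R/K/S bits: optional GRE fields are outside this example
            raise ValueError("GRE optional fields not supported")
        if ptype != ETHERTYPE_IPV4:
            raise ValueError("GRE payload is not IPv4")
        encap, inner = payload[:4], payload[4:]
    else:
        raise ValueError("not an IP-over-IP or GRE tunnel packet")
    parse_ipv4(inner)               # validate the original packet before handing it on
    return outer, encap, inner


def manipulate_original(inner: bytes, transform) -> bytes:
    """Apply transform() to the transport-layer bytes of the original packet and rebuild its
    IP header so that length and checksum match the manipulated content."""
    f = parse_ipv4(inner)
    return build_ipv4(f["src"], f["dst"], f["proto"], transform(f["payload"]), f["ttl"])


def retunnel(outer: dict, encap: bytes, inner: bytes) -> bytes:
    """Reconstruct the NBT packet: same outer addresses and protocol around the new content."""
    return build_ipv4(outer["src"], outer["dst"], outer["proto"], encap + inner, outer["ttl"])


# Constructed sample traffic: AGW 203.0.113.10 tunnels a packet from private client 10.0.0.5
# towards corporate host 10.1.2.3 via the corporation's router 198.51.100.1.
# The transport bytes stand in for a TCP segment; a real one would carry its own header.
INNER = build_ipv4("10.0.0.5", "10.1.2.3", 6, b"GET /index.html")
SAMPLE_IPIP = build_ipv4("203.0.113.10", "198.51.100.1", IPPROTO_IPIP, INNER)
SAMPLE_GRE = build_ipv4("203.0.113.10", "198.51.100.1", IPPROTO_GRE,
                        struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER)


def process_uplink(packet: bytes) -> bytes:
    """Per-packet MEq path: split the NBT, manipulate the original packet, re-tunnel it."""
    outer, encap, inner = split_nbt(packet)
    new_inner = manipulate_original(inner, lambda p: p + b"?banner=1")
    return retunnel(outer, encap, new_inner)


if __name__ == "__main__":
    for name, pkt in (("IPIP", SAMPLE_IPIP), ("GRE", SAMPLE_GRE)):
        out = parse_ipv4(process_uplink(pkt))
        print(name, out["src"], "->", out["dst"], "proto", out["proto"],
              len(out["payload"]), "payload bytes")
```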

In other exemplary embodiments that utilize a clientless MEq option, the AGWIF logical module 310 may run an additional filter in the decision of whether to transfer the packet to the MEqIF 330 or the BGWIF 320. This filter may be based on the type of the packet. For example, if the packet is based on TCP/IP, then the packet may be transferred to the MEqIF 330 although the client doesn't have the client's side of the MEq 210 software. This particular exemplary embodiment is described in detail in conjunction with FIG. 5.

The MEqIF 330 receives packets that may require manipulation by the MEq 210, over connection 313. The MEqIF 330 processes the header of the original packet to determine whether the packet requires manipulations of the MEq Module to be conducted by the MEq Server module 307. This determination may be based, at least in part, on the destination address of the original packet.

If the destination address of the original packet is the IP address of the MEq 210, the packet is a control packet. For instance, such a packet may be a request from a new remote client to start a new connection using the MEq 210. Then the MEqIF 330 checks whether the corporation to which the new client belongs already has been assigned to one of the plurality of VMEqS 350. If so, in one exemplary embodiment, the MEqIF 330 may define a Source Ports Range Numbers (SPRN) associated with the new remote client, and instruct the appropriate VMEqS to use these source port numbers for the manipulated packets, the results of the packets that have arrived from this new client. The address of the appropriate VMEqS and the SPRN, which defines the connection to the client, may be used later on during reconstructing the NBT between the MEq 210 and the BGW 1159. After instructing the appropriate VMEqS 350, the original control packet is transferred to the appropriate VMEqS 350, over IP connection 355 for further processing. If the corporation doesn't have a valid connection to one of the VMEqS 350, the MEqIF 330 creates a new instance, a new VMEqS that will be assigned to this corporation. This new VMEqS will have a new private IP. The MEqIF 330 then updates the VMEqS 350 with the SPRN of the new client and transfers the original packet to the new VMEqS 350 while keeping a record of this packet.

If the destination address of the original packet is the IP address of one of the VMEqS 350 a-n, indicating that this packet belongs to an existing connection between the remote client and the MEq 210, then the original packet is transferred to the appropriate VMEqS 350 over IP connection 355. The MEqIF 330 keeps a record of this transfer in a cross-reference table. This record is used upon receiving the manipulated packet from the appropriate VMEqS 350 a-n. The packet to be transferred to the appropriate VMEqS 350 a-n has the source IP address of the client and the destination IP address of the appropriate VMEqS 350 a-n. The record in the cross-reference table may include the destination address of the corporation, the IP address of the remote client (which may be a Private IP address of the client in its corporation), the IP address of the appropriate VMEqS 350 and the SPRN that has been assigned to this client in the VMEqS that has been assigned to the appropriate corporation. This data may be used when reconstructing the NBT in both directions.

An alternate exemplary embodiment may use a proprietary protocol over TCP/IP in order to communicate over connection 355, between the MEqIF 330 and the plurality of VMEqS 350 a-n. In such an embodiment, the first packet that initiates a connection between the MEqIF 330 and one of the VMEqS 350 a-n may contain information regarding the NBT that is handled by the VMEqS via this connection.

The access to the cross-reference table may be based on the type of connection 355 between MEqIF 330 and the plurality of VMEqS 350 a to 350 n. For example, an embodiment of the present invention may have a plurality of VMEqS 350 a-n, wherein each VMEqS 350 may serve a corporation and each client of this corporation may receive a different source port range of numbers (SPRN). Therefore, in this exemplary embodiment, the access record in the cross-reference table for packets coming from the VMEqS 350 a-n and being directed towards the BGW 1159, may be the IP address of the VMEqS 350 and the SPRN. For the responding packets coming from BGWIF 320, the access record in the cross-reference table for packets may be the IP address of the corporation (which defines the VMEqS) and the destination port number that defines the remote clients, verifying that it belongs to one of the ports in the SPRN that has been assigned to this client.

If the destination address in the original packet is not the IP address of either the MEq 210 or of one of the VMEqS 350 a-n, then the MEqIF 330 transfers the packet over connection 337 to BGWIF 320. In other exemplary embodiments, which utilize a clientless MEq option, the MEqIF 330 logical module may run an additional filter in the decision of whether to manipulate the packet. This filter may be based on the type of the packet. For example, if the packet is based on TCP/IP, then the packet may be transferred to one of the VMEqS 350, which handles clientless traffic. A clientless VMEqS may handle traffic from terminals that do not have the MEq client software installed. More information about this method is disclosed below in conjunction with FIG. 5.

The MEqIF 330 receives the manipulated packet from the plurality of VMEqS 350 a-n via IP connection 355. Each such packet has the source address of the appropriate VMEqS 350 a-n with the source port number being within the range of the SPRN that is associated with the remote client and the destination address of the final entity in the corporation or in the Internet. Upon receiving a manipulated packet, the MEqIF 330 retrieves the appropriate record of this packet from the cross-reference table based, at least in part, on the IP address of the appropriate VMEqS 350 a-n and the SPRN. Based on this information, the MEqIF 330 restores the NBT header with the source address of the AGW 1158 (FIG. 2) and the destination address of the corporation router or the site in the Internet. The MEqIF module 330 also reconstructs the internal packet and sets the source IP address to the remote client IP address and the destination address to the corporate or the Internet IP address. Then MEqIF 330 transfers the NBT packet over the connection 337 to BGWIF 320.
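The cross-reference table and SPRN scheme described in the preceding paragraphs (one VMEqS per corporation, a source port range per client, uplink lookup by VMEqS address and source port, downlink lookup by corporation address and destination port), as an added example that is not part of the patent text. It models the FIG. 1 b case of two clients sharing private IP No. 5 in different corporations; the AGW and router addresses, the VMEqS subnet and the 64-port range width are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SPRN_SIZE = 64                    # constructed: ports per client; the text leaves the width open
VMEQS_SUBNET = "192.168.100."     # constructed: private addresses handed to new VMEqS instances


@dataclass(frozen=True)
class Record:
    """One entry of the MEqIF cross-reference table, holding the fields the text lists."""
    agw_ip: str                   # outer (NBT) source to restore on the uplink: the AGW
    corp_router_ip: str           # outer destination: the corporation's router
    client_ip: str                # original source: the client's private IP in its corporation
    vmeqs_ip: str                 # VMEqS assigned to that corporation
    sprn: Tuple[int, int]         # inclusive source port range assigned to this client

    def owns_port(self, port: int) -> bool:
        return self.sprn[0] <= port <= self.sprn[1]


class CrossReferenceTable:
    def __init__(self, first_port: int = 20000):
        self._next_port = first_port
        self._next_vmeqs = 1
        self._vmeqs_by_corp: Dict[str, str] = {}
        self._records: List[Record] = []

    def vmeqs_for(self, corp_router_ip: str) -> str:
        """One VMEqS per corporation; a new instance with a new private IP on first use."""
        if corp_router_ip not in self._vmeqs_by_corp:
            self._vmeqs_by_corp[corp_router_ip] = VMEQS_SUBNET + str(self._next_vmeqs)
            self._next_vmeqs += 1
        return self._vmeqs_by_corp[corp_router_ip]

    def register_client(self, agw_ip: str, corp_router_ip: str, client_ip: str) -> Record:
        """Control packet from a new client: assign the VMEqS and a fresh SPRN, keep the record."""
        lo, hi = self._next_port, self._next_port + SPRN_SIZE - 1
        self._next_port = hi + 1
        rec = Record(agw_ip, corp_router_ip, client_ip, self.vmeqs_for(corp_router_ip), (lo, hi))
        self._records.append(rec)
        return rec

    def lookup_uplink(self, vmeqs_ip: str, src_port: int) -> Optional[Record]:
        """Manipulated packet from a VMEqS: key is (VMEqS IP, source port inside the SPRN)."""
        for rec in self._records:
            if rec.vmeqs_ip == vmeqs_ip and rec.owns_port(src_port):
                return rec
        return None

    def lookup_downlink(self, corp_router_ip: str, dst_port: int) -> Optional[Record]:
        """Response from the BGW: key is (corporation IP, destination port inside the SPRN)."""
        for rec in self._records:
            if rec.corp_router_ip == corp_router_ip and rec.owns_port(dst_port):
                return rec
        return None


def restore_uplink_headers(table: CrossReferenceTable, vmeqs_ip: str, src_port: int,
                           final_dst_ip: str) -> Optional[dict]:
    """Addresses the MEqIF writes when re-tunneling a manipulated packet; None if unknown."""
    rec = table.lookup_uplink(vmeqs_ip, src_port)
    if rec is None:
        return None
    return {"outer_src": rec.agw_ip, "outer_dst": rec.corp_router_ip,
            "inner_src": rec.client_ip, "inner_dst": final_dst_ip}


def route_downlink(table: CrossReferenceTable, corp_router_ip: str,
                   dst_port: int) -> Optional[dict]:
    """Where a response goes inside the MEq: its VMEqS and client; None means pass it untouched."""
    rec = table.lookup_downlink(corp_router_ip, dst_port)
    if rec is None:
        return None
    return {"vmeqs_ip": rec.vmeqs_ip, "client_ip": rec.client_ip, "agw_ip": rec.agw_ip}


if __name__ == "__main__":
    # Constructed scenario after FIG. 1 b: clients 110A5 and 110C5 share private IP No. 5 but
    # belong to corporations A and C, whose routers are 198.51.100.1 and 198.51.100.3 here.
    t = CrossReferenceTable()
    a5 = t.register_client("203.0.113.10", "198.51.100.1", "10.0.0.5")
    c5 = t.register_client("203.0.113.10", "198.51.100.3", "10.0.0.5")
    print(a5.vmeqs_ip, a5.sprn, "|", c5.vmeqs_ip, c5.sprn)
    print(restore_uplink_headers(t, a5.vmeqs_ip, a5.sprn[0], "10.1.2.3"))
    print(route_downlink(t, "198.51.100.3", c5.sprn[0] + 7))
```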

Another exemplary embodiment, which may be used in operator premises 1150 (FIG. 2) that is using VLAN TAG (802.1Q) as the NBT protocol, may transfer the TAG information in the first packet of each new connection over communication lines 355 between the MEqIF 330 and the appropriate VMEqS 350. The MEqIF 330 may keep this information (the TAG) in the cross-reference table as one of the index parameters for the entry of this connection in the cross-reference table and uses it to restore the appropriate NBT for the manipulated packets that are received from the appropriate VMEqS 350.

Internally to the MEq 210, the BGWIF 320 receives untouched packets via connection 317 from the AGWIF 310 and manipulated packets via connection 337 from the MEqIF 330. If a packet is received via connection 317, the BGWIF 320 transfers the packet, as is, without any manipulations, to the BGW 1159 (FIG. 2) through communication path 217. If the packet has been received via connection 337 from the MEqIF 330 and if the topology of the MEq 310 is of the transparent type, the BGWIF 320 transfers the received packet, as is, to the BGW 1159 over communication path 217. The source address of such a packet is the AGW and the destination address is the IP address of the router of the corporation.

If the packet has been received via connection 337 from the MEqIF 330 and the topology of the MEq 310 is the terminating topology, the BGWIF 320 changes the address in the header of the NBT packet by changing the source address to the IP address of the MEq 210 and the destination address to the IP address of the corporation router, which has been configured into the BGWIF 320 during the installation procedure.
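The uplink path described above, as an added Python example that is not code from the patent or from the NettGain product: it parses an NBT packet (GRE, IP over IP, or an 802.1Q-tagged Ethernet frame), hands the encapsulated original packet to a manipulation callback, and reconstructs the tunnel, either keeping the outer addresses (transparent topology) or rewriting the outer source to the MEq address (terminating topology). All addresses, payloads, the `manipulate` callback and the function names are assumptions; the GRE header layout and checksum follow RFC 2784, and the IPv4 header checksum follows RFC 1071.

```python
"""Parse and rebuild Network Based Tunnel (NBT) packets: GRE, IP-over-IP and 802.1Q-tagged frames.
Added example, not the patent's code; all addresses, payloads and names are constructed."""
import struct
import ipaddress

GRE_PROTO, IPIP_PROTO = 47, 4            # IPv4 protocol numbers for GRE and IP-in-IP
ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800   # EtherTypes: VLAN tag (TPID) and IPv4

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; used for the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """(src, dst, proto, payload), or None when the bytes are not a well-formed IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len or inet_checksum(pkt[:ihl]) != 0:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:total_len])

def decapsulate(frame: bytes):
    """Split an NBT packet into (tunnel_type, outer, inner_ip_packet); None if it is not an NBT packet."""
    # 802.1Q: Ethernet header whose EtherType is the VLAN TPID, followed by the TCI and the real EtherType
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        if ethertype != ETH_P_IP:
            return None
        return "VLAN", {"dst_mac": frame[:6], "src_mac": frame[6:12], "tci": tci, "vlan_id": tci & 0x0FFF}, frame[18:]
    parsed = parse_ipv4(frame)
    if parsed is None:
        return None
    src, dst, proto, payload = parsed
    outer = {"src": src, "dst": dst}
    if proto == IPIP_PROTO:
        return "IPIP", outer, payload
    if proto == GRE_PROTO and len(payload) >= 4:
        flags, ptype = struct.unpack("!HH", payload[:4])
        # RFC 2784/2890 GRE: optional checksum (C, bit 15), key (K, bit 13) and sequence (S, bit 12) words
        hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        if ptype != ETH_P_IP or len(payload) < hlen:
            return None
        if flags & 0x8000 and inet_checksum(payload) != 0:   # C bit set: verify the GRE checksum
            return None
        outer["gre_header"] = payload[:hlen]
        return "GRE", outer, payload[hlen:]
    return None

def encapsulate(tunnel_type, outer, inner, new_src=None, new_dst=None) -> bytes:
    """Rebuild the NBT packet around a (possibly manipulated) inner packet. new_src/new_dst rewrite the
    outer addresses (terminating topology); None keeps the original ones (transparent topology)."""
    if tunnel_type == "VLAN":
        return outer["dst_mac"] + outer["src_mac"] + struct.pack("!HHH", ETH_P_8021Q, outer["tci"], ETH_P_IP) + inner
    src, dst = new_src or outer["src"], new_dst or outer["dst"]
    if tunnel_type == "IPIP":
        return build_ipv4(src, dst, IPIP_PROTO, inner)
    if tunnel_type == "GRE":
        gre = outer["gre_header"]
        if struct.unpack("!H", gre[:2])[0] & 0x8000:
            # the GRE checksum covers header and payload, so a changed inner packet needs a fresh one
            zeroed = gre[:4] + b"\x00\x00" + gre[6:]
            gre = gre[:4] + struct.pack("!H", inet_checksum(zeroed + inner)) + gre[6:]
        return build_ipv4(src, dst, GRE_PROTO, gre + inner)
    raise ValueError("unknown tunnel type")

def rewrite_nbt(frame, manipulate, meq_ip=None):
    """MEqIF -> BGWIF uplink path: parse the NBT, hand the inner packet to the manipulator, rebuild
    the tunnel; with meq_ip set, the outer source becomes the MEq (terminating topology)."""
    parsed = decapsulate(frame)
    if parsed is None:
        return frame                                   # not an NBT packet: untouchable, pass through
    tunnel_type, outer, inner = parsed
    return encapsulate(tunnel_type, outer, manipulate(inner), new_src=meq_ip)

def demo():
    """Constructed sample: a client packet in a GRE tunnel (C bit set) from an AGW to a corporation router."""
    agw, corp, meq = "198.51.100.1", "203.0.113.1", "198.51.100.10"
    inner = build_ipv4("10.0.0.5", "192.168.1.10", 6, b"A" * 40)
    gre_hdr = struct.pack("!HH", 0x8000, ETH_P_IP) + bytes(4)   # checksum filled in by encapsulate()
    frame = encapsulate("GRE", {"src": agw, "dst": corp, "gre_header": gre_hdr}, inner)
    vlan = encapsulate("VLAN", {"dst_mac": bytes(6), "src_mac": bytes(6), "tci": 100}, inner)
    shrunk = rewrite_nbt(frame, lambda p: build_ipv4("10.0.0.5", "192.168.1.10", 6, b"A" * 10), meq_ip=meq)
    return {"gre": decapsulate(frame), "vlan": decapsulate(vlan),
            "plain": decapsulate(inner), "shrunk": decapsulate(shrunk)}
```

Two details matter when the reconstructed tunnel must be accepted by the corporation router: the outer IPv4 total length and header checksum are recomputed for the shorter manipulated packet, and when the GRE C bit is set the GRE checksum (which covers the payload) is recomputed as well, otherwise the rebuilt packet is dropped as corrupt. The inner packet's own IP and TCP checksums are the responsibility of the manipulating VMEqS and are not touched here.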

Downlink Operation

Following is a description of the operation of an exemplary MEq 210 in downlink operation. In the downlink direction, packets received from the Internet 1160, or directly from a corporation intranet, such as 1170 k, reach the operator's premises 1150 via BGW 1159 (FIG. 2). These packets are transferred to the MEq 210 over communication path 217 and are received by the BGWIF logical module 320. The BGWIF 320 performs a similar task as the AGWIF 310 when it receives packets, in that it sorts the received packets into two groups: packets that may be manipulated by the MEq 210 and untouchable packets. The BGWIF 320 checks the encapsulation IP header (the header of the NBT) of each received packet, or the TAG in case the NBT is based on VLAN TAG (802.1Q), and determines whether it should be manipulated by the MEq 210. This decision may be based, at least in part, on searching the source address of the NBT packets in the list of the IP addresses of the routers of the corporations that are currently communicating with one of the VMEqS 350. This search is done in a copy of the updated cross-reference table, which is delivered from the MEqIF 330.

In an alternate exemplary embodiment, in which the communication is based on VLAN TAG, the tag is used in the cross-reference table instead of the source address of the NBT packet.

In other exemplary embodiments, the BGWIF 320 may process the header of the original packet and check whether the destination address of the original packet belongs to one of the VMEqS 350. If so, the BGWIF 320 then transfers the packet over connection 337 to the MEqIF 330. Otherwise, the BGWIF 320 transfers the packet, as is, over connection 317 to the AGWIF 310.

In other exemplary embodiments that utilize a clientless MEq option, the MEqIF logical module 330 may run an additional filter in the decision of whether to manipulate the packet. This filter may be based, at least in part, on the type of the packet. For example, if the packet is based on TCP/IP, then the packet may be manipulated and therefore it is transferred to a VMEqS that handles clientless traffic.

An exemplary MEqIF 330 may process the header of the original packet. This process may involve checking the destination address and the destination port number. If the destination address is the IP address of one of the plurality of VMEqS 350, which indicates that this packet belongs to an existing connection between a remote client and the MEq 210, then the original packet is transferred to the appropriate VMEqS 350 over IP connection 355. Then the present invention may determine to which SPRN the destination port number fits. The appropriate SPRN indicates which client is the final destination for this packet. The MEqIF 330 keeps a record of this packet in the cross-reference table.

This record includes the IP address of the router of the corporation and the private IP address of the client. This record is used when reconstructing the NBT after the manipulation by the appropriate VMEqS 350 a-n. The packet to be transferred to the appropriate VMEqS 350 a-n has the source IP address of the corporation and the destination IP address of the appropriate VMEqS 350 a-n with the DST (Destination) port number being in the range of the SPRN that is associated with the remote client.

The cross-reference table that the MEqIF 330 keeps may have the IP addresses of all currently operating VMEqS 350, the IP address of the router of the corporations that are associated with the VMEqS 350, the IP address (which may also be a private address) of the remote clients that are associated with the VMEqS 350 and the SPRN that is associated with the client.

If the destination address in the original packet is not the IP address of one of the VMEqS 350 a-n, then MEqIF 330 transfers the packet over connection 313 to AGWIF 310. In other exemplary embodiments, which utilize the clientless MEq option, the MEqIF 330 logical module 310 may apply an additional filter in the decision as to whether or not to manipulate the packet. This filter may be based, at least in part, on the type of the packet. For example, if the packet is based on TCP/IP, then the packet may be transferred to a VMEqS 350 that handles clientless traffic.

The MEqIF 330 receives the manipulated packets from VMEqS 350 a-n via connection 355. Each packet received has the source address of the appropriate VMEqS 350. The destination address of this packet is the IP address of the remote client, which may be added by the VMEqS 350.

Other embodiments may use a common source port number in the direction from the VMEqS 350 a-n to the remote clients, since the VMEqS 350 uses the DST address as the IP address of the remote client and the VMEqS 350 private address as indicating the corporation to which the client belongs. These two addresses are sufficient to define the appropriate entry in the cross-reference table for reconstructing the NBT packet.

In other embodiments, in which the VMEqS 350 a-n does not have a unique IP address, the MEqIF 330 may use a mapping table to retunnel the NBT packet. This mapping may be based, at least in part, on the source port numbers. Upon receiving a manipulated packet, the MEqIF 330 retrieves the appropriate record of this packet and restores the header of the NBT packet. In the NBT header, the source IP address is the corporation's router that is associated with the VMEqS 350, and the destination address is the IP address of AGW 1158. Then MEqIF 330 transfers the packet over connection 313 to AGWIF 310.

In an alternate exemplary embodiment, in which the NBT connection is based on VLAN TAG, the tag may replace the address of the corporation router in the NBT header.

Internally to the MEq 210, the AGWIF 310 receives untouched packets from the BGWIF 320 via connection 317 and manipulated packets from the MEqIF 330 via connection 313. If the packet is received via connection 317, the AGWIF 310 transfers the packet, as is, over communication path connection 215 to the AGW 1158 (FIG. 2). If the packet has been received via connection 313 and if the topology is transparent, the AGWIF 310 transfers the received packet, from the MEqIF 330, as is, to AGW 1158 over communication path connection 215. The source address of such a packet is the corporation's router and the destination address is the IP address of the AGW 1158. If the topology is terminating topology, the AGWIF 310 changes the address in the tunnel header so that the source address is replaced with the IP address of the MEq 210 and the destination address is replaced with the IP address of the AGW 1158.

An exemplary embodiment of a MEq Server Module 307 may include, but is not limited to, one or more Virtual MEq Servers (VMEqS) 350 a-350 n. The VMEqSs 350 are created and managed by the MEqIF module 330. The MEqIF 330 may generate and control a plurality of instances of the VMEqSs 350 a to 350 n. Each such instance acts as a VMEqS that manipulates data communication.

An exemplary MEq server 307 may be from the NettGain Product Family Line, which is sold by Flash Networks. Such a MEq may operate to accelerate the communication, personalize the context, serve as a front end application server, etc. Each VMEqS is a logical entity that may have a private IP address. The MEqIF 330 may assign the private IP address. Each VMEqS 350 may serve a plurality of remote clients that are associated with the same corporation. A unique source port range (SPRN) may be used to represent each remote client, thereby distinguishing the different remote clients of a corporation that are currently communicating with their corporation. The VMEqS 350 may establish a tunnel connection over IP to each of the current remote clients and maintain the connection as long as the communication with the client exists.

In other exemplary embodiments, in which a proprietary protocol is used over connection line 355 (FIG. 3), the functionality of the SPRN may be replaced by a first packet that initiates the connection between MEqIF 330 and the appropriate VMEqS 350 that will be associated with the remote client and its corporation. The first packet may include information regarding this connection, information that may be used to restore the NBT packet.

In an alternate exemplary embodiment, a permanent VMEqS may be assigned for each one of the corporations that are the users of MEq 210. Other exemplary embodiments may generate and keep alive a VMEqS for as long as there is at least one remote client that is currently connected to it. The detailed operation of the MEq 210 is described below in conjunction with the flow charts of FIG. 5 and FIG. 6.

Some of the exemplary embodiments may manipulate communication to terminals that do not have client MEq software. These embodiments may have at least one VMEqS that handles clientless traffic. This type of VMEqS may manipulate the data in a way that will be transparent to the other side of the communication, although the manipulated packet has less data than the original packet. For example, it may re-compress JPEG files, as disclosed in PCT application number PCT/IL02/00052, published on Aug. 01, 2002 with international publication number WO02/060106, the contents of which are incorporated herein by reference. A variety of accelerating operations and manipulation methods can be employed by the VMEqS in various embodiments of this invention. And although the present invention concentrates on the methods of breaking, managing and reconstructing a plurality of Compulsory Tunnels in a way that enables data manipulation and acceleration, the present invention should not be limited to the use of any specific accelerating operations or manipulation methods.

FIG. 4 is a block diagram illustrating another exemplary embodiment of an MEq Farm. This embodiment of the MEq Farm 400 is most useful when installed in an operator's premises that has a high transportation of data between the wireless network and the Internet. The AGW 1158 (FIG. 2) is connected to the MEq Farm 400 over LAN 413 and interfaces to one or more IF Module Servers 303 a to 303 m and to a Load Balancer Server (LBS) 410. The BGW 1159 is connected to the MEq Farm 400 over LAN 416 and also interfaces to the IF Module Servers 303 a to 303 m and to the Load Balancer Server (LBS) 410. The LBS 410 may be a common LBS that distributes the transportation between the AGW 1158 and the BGW 1159 among the IF Module Servers 303 a to 303 m. One exemplary embodiment of LBS 410 may be a server that distributes the traffic according to the corporations. The LBS 410 may assign a group of corporations to each one of the IF Module Servers 303. Each one of the IF Module Servers, 303 a to 303 m, manipulates the transportation that has been associated with it as described above in conjunction with FIG. 3 and sends the appropriate packets over LAN 423 to be further processed by additional MEq Server Modules 307 a to 307 n. Another LBS 420 is connected to LAN 423 for distributing the traffic among the additional MEq Server Modules 307.

An exemplary embodiment of LBS 420 may also be a server that distributes the traffic according to the corporations. The LBS 420 may assign a group of corporations to each of the MEq Server Modules 307. Other exemplary embodiments may use the MEqIF module as the LBS 410. The additional MEq Server Modules 307 a to 307 n manipulate the transportation that has been associated with them as described above in conjunction with FIG. 3 and send back the manipulated packets over LAN 423 to the appropriate IF Server Modules 303 a to 303 m. Each MEq Server Module 307 may comprise a plurality of VMEqS 350.

FIGS. 5 a and 5 b are flow charts that illustrate an exemplary method that may be used by an IF module 303 for handling packets coming from an AGW. Upon receiving a packet from the AGW 1158, at step 510, the IF Server Module 303 checks whether the received packet belongs to a Network Based Tunnel such as a compulsory tunnel. This step is performed by checking whether the packet is based on NBT Protocols such as “GRE”, “IP over IP”, VLAN TAG (802.1Q) etc., and thus is an NBT packet. The NBT Protocol is chosen by the Operator. Generally a single type of NBT protocol is used at a certain operator's premises. If the received packet is not an NBT packet, processing continues at point A in FIG. 5 b. If the received packet is an NBT packet, at step 512 the original packet, the packet that is encapsulated in the NBT packet, is parsed and at step 514 it is determined whether the original packet is an IP packet. If the original packet is not an IP packet, at step 516 the NBT packet is transferred, as is, to the BGWIF 320 (FIG. 3). Thus, it is evident that this embodiment of the present invention accelerates only original IP packets. Other embodiments of the present invention may accelerate other types of original packets and the present invention should not be limited to an embodiment that only works on original IP packets. After the NBT packet is sent 516 to the BGWIF 320, processing is terminated.

If at step 514 it is determined that the original packet is an IP packet, then a decision is made at step 520 whether the Destination Address (DST) is the IP address of the MEq 210 (FIGS. 2 & 3). If the DST is not the IP address of the MEq 210, this indicates that the remote terminal does not have the client version of the manipulating software. However, an exemplary embodiment may manipulate part of the clientless transportation; for example, TCP packets may be accelerated. This exemplary embodiment operates to filter this type of transportation by determining whether the original packet is a TCP packet at step 522. If the packet is a TCP packet, the IF Module 303 assigns an SPRN that is associated with this terminal, then the cross-reference table is updated with the new connection using the IP address of the terminal (it can be the private IP address), the assigned SPRN, the IP address of the corporate intranet and the private IP address of the clientless VMEqS that will handle this connection. Next, the IF Module 303 instructs the appropriate VMEqS regarding the assigned SPRN and at step 528, forwards the packet to the appropriate clientless VMEqS 350 over connection 355 (FIG. 3). After the packet is forwarded to the appropriate VMEqS 350, the processing of IF module 303 is terminated.

If at step 522 it is determined that the original packet is not a TCP packet, then at step 526 the NBT packet is forwarded to the BGW 1159 (FIG. 2) via the BGWIF 320 (FIG. 3). This exemplary embodiment of the present invention operates to manipulate only TCP packets; however, those skilled in the art will understand that the present invention could operate to manipulate other types of original packets and the present invention should not be limited to only performing such operations on TCP packets. After the NBT packet is forwarded to the BGW 1159, processing is terminated.

If at step 520 it is determined that the DST address belongs to MEq 210, a decision is made at step 530 whether the DST address belongs to a VMEqS. If the DST address belongs to a VMEqS, this indicates that the current packet belongs to an existing connection between the remote client and an appropriate VMEqS. Then at step 534, the IF Module 303 updates the cross-reference table with the new packet and at step 546 it forwards the packet to the appropriate VMEqS 350, for further processing, using communication lines 355 (FIG. 3). After the packet is forwarded to the appropriate VMEqS 350, the processing of IF module 303 is terminated.

If at step 530 it is determined that the DST address of the packet is not a private address of one of the VMEqS, processing continues at step 532 where it is determined whether the packet is a request of a remote client to use the manipulation services of MEq 210 (FIGS. 2 & 3). If the packet is not such a request, the packet is a control packet and at step 536 the MEq 210 handles the control packet. If the packet is such a request to use the manipulation services, at step 540 it is determined whether the corporation, to which the remote client belongs, is associated with an existing VMEqS 350 a-n (FIG. 3). If the corporation is associated with an existing VMEqS, at step 544 the IF Module 303 (FIG. 3) defines the SPRN that will be associated with this client and updates the cross-reference table with the new connection using the IP address of the client (it can be the private IP address), the assigned SPRN, the corporation IP address and the private IP address of the appropriate VMEqS that will handle this connection. At step 546, the IF Module 303 then operates to instruct the appropriate VMEqS regarding the SPRN and forwards the packet to the appropriate VMEqS 350 over connection 355 (FIG. 3).

If at step 540 it is determined that the corporation does not have a valid VMEqS associated with it, at step 542 the IF Module 303 creates a new instance, or a new VMEqS, and assigns it to the corporation of the new client and continues processing at step 544.

Other exemplary embodiments may define the connection with a certain remote client in the first packet of the connection with the selected VMEqS 350 over communication 355 instead of using the SPRN.

In an alternate exemplary embodiment that is used in networks in which the NBT is based on the VLAN TAG (802.1Q) protocol, the TAG information may be used to define the connection instead of the address of the router of the corporation.

Returning to step 510, if it is determined that the received packet is not an NBT packet, the present invention continues at point A in FIG. 5 b. At step 550 (FIG. 5 b), the received packet is examined to determine whether the received packet is an IP packet. If the received packet is not an IP packet, at step 552 the received packet is transferred, as is, to the BGW 1159 (FIG. 2) via the BGWIF 320 (FIG. 3). In an exemplary embodiment of the present invention, only IP packets are manipulated. However, it should be understood that other embodiments may manipulate other types of packets. After forwarding the received packet to the BGWIF, processing is then terminated.

If at step 550 it is determined that the received packet is an IP packet, then at step 560 it is determined whether the Destination Address (DST) is the IP address of one of the VMEqS. If the DST is not the IP address of one of the VMEqSs, the exemplary embodiment continues at step 566 to determine if the received packet is a TCP packet and then may manipulate TCP packets. If the packet is a TCP packet, at step 567 the present invention operates to assign an SPRN to the communication with this client and update the cross-reference table with the new connection using the IP address of the client, the assigned SPRN, and the private IP address of the clientless VMEqS that will handle this connection. Finally, the IF Module 303 instructs the appropriate VMEqS about the SPRN and forwards the packet to the appropriate clientless VMEqS 350 over connection 355 (FIG. 3). After the packet is forwarded to the appropriate VMEqS 350, the processing of IF module 303 is terminated. If at step 566 it is determined that the received packet is not a TCP packet, at step 568 the received packet is forwarded, as is, to the BGW 1159 (FIG. 2) via the BGWIF 320 (FIG. 3) and processing is terminated.

If at step 560 it is determined that the DST address is one of the VMEqSs, this is an indication that the current packet belongs to an existing connection between the remote client and the appropriate VMEqS. At step 562, the IF Module 303 updates the cross-reference table with the new received packet and at step 564, the IF Module 303 forwards the received packet to the appropriate VMEqS 350 for further processing using communication lines 355 (FIG. 3). After the packet is forwarded to the appropriate VMEqS 350, the processing of IF module 303 is terminated.

FIGS. 6 a and 6 b are flow diagrams that illustrate an exemplary method that may be used by an IF Module 303 (FIG. 3) for handling packets coming from a BGW. Processing begins at step 605 upon receiving a packet from the BGW 1159. At step 610 the IF Module 303 checks whether the received packet belongs to an NBT (such as a compulsory tunnel) packet, by checking whether the received packet is based on NBT Protocols, such as “GRE”, IEEE 802.1Q, or “IP over IP”, etc. If the received packet is not an NBT packet, processing continues at point A in FIG. 6 b. If the received packet is an NBT packet, processing continues at step 612 where the original packet, the packet that is encapsulated in the NBT packet, is parsed. At step 614 it is determined whether the original packet is an IP packet. If the original packet is not an IP packet, processing continues at step 632 where the NBT packet is transferred, as is, to the AGWIF 310 (FIG. 3). The exemplary embodiment only manipulates IP packets; however, it should be understood that in other embodiments, the present invention may operate to manipulate other types of packets. After forwarding the NBT packet to the AGWIF 310, processing is terminated.

If at step 614 it is determined that the original packet is an IP packet, then processing continues at step 620 where it is determined whether the original packet is a TCP packet. If the original packet is not a TCP packet, processing continues at step 632 where the NBT packet is transferred to the AGW 1158 (FIG. 2) via AGWIF 310 (FIG. 3). After forwarding the NBT packet to the AGWIF 310, processing is terminated.

If at step 620 it is determined that the original packet is a TCP packet, then processing continues at step 630 where it is determined whether this connection belongs to one of the VMEqS 350 (FIG. 3) by examining the cross-reference table. If the connection belongs to one of the VMEqSs 350, this is an indication that the current packet belongs to an existing communication between a remote client and its corporation via the appropriate VMEqS. Then IF Module 303 proceeds at step 634 to update the cross-reference table with the new packet using the corporate IP address and the client private address (based on the DST port, which indicates the port number range that has been assigned to a specific client and is derived from the SPRN that has been assigned to the remote client), and at step 636 the original packet is forwarded to the appropriate VMEqS 350, for further processing, using communication lines 355 (FIG. 3). After the original packet is forwarded to the appropriate VMEqS 350, the processing of IF module 303 is terminated.

In an alternate exemplary embodiment, in which the NBT is based on VLAN TAG, the tag information may be used in conjunction with the information that is stored in the cross-reference table.

If at step 630 the connection characteristics carried by this packet are not found in the cross-reference table, then processing continues at step 632 where the NBT packet is transferred to the AGW 1158 (FIG. 2) via AGWIF 310 (FIG. 3).

Returning to the case in which the received packet is not an NBT packet at step 610, the present invention continues to operate at point A in FIG. 6 b. At step 650 in FIG. 6 b it is determined whether the received packet is an IP packet. If the received packet is not an IP packet, processing continues at step 668 where the received packet is transferred, as is, to the AGW 1158 (FIG. 2) via the AGWIF 310 (FIG. 3) and processing is terminated.

If at step 650 it is determined that the received packet is an IP packet, processing continues at step 660 where it is determined whether the connection belongs to one of the VMEqS 350. The decision is based, at least in part, on the cross-reference table. If the connection does not belong to a VMEqS 350, processing continues at step 668 where the received packet is transferred, as is, to the AGW 1158 (FIG. 2) via the AGWIF 310 (FIG. 3) and processing is terminated.

If at step 660 the connection does belong to a VMEqS, this indicates that the current received packet belongs to an existing communication between the remote client and the appropriate VMEqS. At step 662, the IF Module 303 updates the cross-reference table with the new received packet and at step 664 it forwards the received packet to the appropriate VMEqS 350 for further processing using communication lines 355 (FIG. 3). After the packet is forwarded to the appropriate VMEqS 350, the processing of IF module 303 is terminated. Since there are some network security methods that may use the source port number as a filter to remove hostile communication, some embodiments of the present invention may convert the unique port number, which is in the range of the appropriate SPRN, to a common port number. These methods may use a hashing method to generate a table that keeps the parameters of this connection and enables converting the DST port number of the received packets from the corporations before transferring them to the appropriate VMEqS. This conversion and the table may be done and used by the BGWIF logical module 320.
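The two flow charts, FIG. 5 for packets arriving from the AGW and FIG. 6 for packets arriving from the BGW, as one added Python example that is not code from the patent or from the NettGain product: an IF module that keeps the cross-reference table, allocates an SPRN per remote client, creates a VMEqS per corporation on demand, and returns the forwarding decision for each packet. Packets are passed in as already-parsed records (the NBT parsing itself is left out so the example stays on the table logic), and the SPRN size, the private VMEqS address range, the step numbers in the comments and every sample address and port are constructed assumptions.

```python
"""Decision logic of an IF module for packets from the AGW (FIG. 5) and from the BGW (FIG. 6),
driven by a cross-reference table keyed by VMEqS address and source port range (SPRN).
Added example, not the patent's code; packets are pre-parsed records and all values are constructed."""
from dataclasses import dataclass
from typing import Optional

SPRN_SIZE = 64      # ports per remote client; constructed, the text gives no size
SPRN_BASE = 10000   # first port of the first SPRN; constructed

@dataclass
class Packet:
    """Fields an NBT parser would already have extracted from a received packet."""
    src_ip: str
    dst_ip: str
    proto: Optional[str] = None    # "TCP", "UDP", ...; None means the packet is not IP
    dst_port: int = 0
    nbt: Optional[str] = None      # "GRE", "IPIP", "VLAN", or None when not tunnelled
    corp: str = ""                 # corporation router IP (or VLAN tag) taken from the NBT header
    service_request: bool = False  # remote client asks to use the MEq manipulation service

@dataclass
class Entry:
    """One row of the cross-reference table."""
    client_ip: str
    corp: str
    vmeqs_ip: str
    sprn: range
    packets: int = 0               # bumped on every packet of the connection (steps 534/562/634/662)

class IFModule:
    def __init__(self, meq_ip: str, clientless_vmeqs_ip: str):
        self.meq_ip = meq_ip
        self.clientless = clientless_vmeqs_ip
        self.vmeqs_by_corp = {}    # corporation -> private VMEqS address
        self.table = []            # the cross-reference table
        self.next_port = SPRN_BASE

    def _new_entry(self, client_ip, corp, vmeqs_ip):
        """Steps 524/544/567: allocate a fresh SPRN and record the new connection."""
        sprn = range(self.next_port, self.next_port + SPRN_SIZE)
        self.next_port += SPRN_SIZE
        self.table.append(Entry(client_ip, corp, vmeqs_ip, sprn))
        return self.table[-1]

    def _vmeqs_for(self, corp):
        """Steps 540/542: reuse the corporation's VMEqS or create a new instance for it."""
        if corp not in self.vmeqs_by_corp:
            self.vmeqs_by_corp[corp] = "10.255.0.%d" % (len(self.vmeqs_by_corp) + 1)  # constructed range
        return self.vmeqs_by_corp[corp]

    def _is_vmeqs(self, ip):
        return ip == self.clientless or ip in self.vmeqs_by_corp.values()

    def from_agw(self, p: Packet):
        """FIG. 5: returns ("BGW",), ("CONTROL",) or ("VMEQS", vmeqs_ip, sprn)."""
        if p.proto is None:                                   # steps 514/516 and 550/552: not IP
            return ("BGW",)
        if self._is_vmeqs(p.dst_ip):                          # steps 530/560: existing connection
            for e in self.table:
                if e.vmeqs_ip == p.dst_ip and e.client_ip == p.src_ip:
                    e.packets += 1
                    return ("VMEQS", e.vmeqs_ip, e.sprn)      # steps 546/564
            return ("BGW",)      # no row for this client: not a connection of ours, pass through
        if p.nbt is not None and p.dst_ip == self.meq_ip:     # step 520 -> 532
            if not p.service_request:
                return ("CONTROL",)                           # step 536
            e = self._new_entry(p.src_ip, p.corp, self._vmeqs_for(p.corp))
            return ("VMEQS", e.vmeqs_ip, e.sprn)              # step 546
        if p.proto == "TCP":                                  # steps 522/566: clientless acceleration
            e = self._new_entry(p.src_ip, p.corp, self.clientless)
            return ("VMEQS", e.vmeqs_ip, e.sprn)              # steps 528/567
        return ("BGW",)                                       # steps 526/568

    def from_bgw(self, p: Packet):
        """FIG. 6: returns ("AGW",) or ("VMEQS", vmeqs_ip, client_ip)."""
        if p.proto is None or (p.nbt is not None and p.proto != "TCP"):  # steps 614/632, 620, 650/668
            return ("AGW",)
        for e in self.table:                   # steps 630/660: VMEqS address, DST port in SPRN, corporation
            if e.vmeqs_ip == p.dst_ip and p.dst_port in e.sprn and (not p.corp or e.corp == p.corp):
                e.packets += 1
                return ("VMEQS", e.vmeqs_ip, e.client_ip)     # steps 636/664
        return ("AGW",)                                       # steps 632/668

def demo():
    """Constructed traffic walk-through; returns the forwarding decisions."""
    ifm = IFModule(meq_ip="198.51.100.10", clientless_vmeqs_ip="10.255.255.1")
    corp = "203.0.113.1"
    first = ifm.from_agw(Packet("10.1.1.7", "198.51.100.10", "UDP", 0, "GRE", corp, service_request=True))
    vmeqs, sprn = first[1], first[2]
    return {
        "first": first,                                                            # service request
        "follow": ifm.from_agw(Packet("10.1.1.7", vmeqs, "TCP", 80, "GRE", corp)),  # later uplink packet
        "reply": ifm.from_bgw(Packet("192.168.1.10", vmeqs, "TCP", sprn.start + 3, "GRE", corp)),
        "miss": ifm.from_bgw(Packet("192.168.1.10", vmeqs, "TCP", 9, "GRE", corp)),  # port outside any SPRN
        "clientless": ifm.from_agw(Packet("10.2.2.9", "198.51.100.77", "TCP", 80, "GRE", corp)),
        "udp": ifm.from_agw(Packet("10.2.2.9", "198.51.100.77", "UDP", 53, "GRE", corp)),
        "rows": len(ifm.table),
    }
```

The downlink match at steps 630/660 deliberately requires three things to agree: the VMEqS address, a DST port inside the client's SPRN, and the corporation taken from the tunnel header. Matching on the port range alone would let a packet from one corporation's router be steered into another corporation's VMEqS, which is the isolation property the cross-reference table exists to preserve; anything that does not match is passed through untouched.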

The present invention is not limited to methods using a unique approach for indicating the remote client, like but not limited to the SPRN method. Other exemplary embodiments of the present invention may use a common TCP or UDP connection over IP communication line 355 between IF module 303 and MEq Server Module 307 (FIG. 3). In such embodiments, the VMEqS may declare the remote client IP address each time that it establishes a TCP connection toward the BGW 1159 (FIG. 2). Such an embodiment demands a synchronization between the VMEqS and the IF module. Thus, when a VMEqS intends to initiate a new connection (for example a TCP connection) toward the BGW 1159, it first sends information about this connection to the IF Module 303. This information may include the required parameters to be used in the cross-reference table, for example, the final DST IP number in the corporation, the VMEqS IP address as the source address, the DST port at the corporation and the source port in the VMEqS, which may be a common source port, the IP address of the remote client, which may be its private IP address in the corporation, and tag information in case the VLAN TAG protocol is used.

Some exemplary embodiments may use a clientless VMEqS for each corporation and one or more clientless VMEqS for remote clients that do not belong to any corporation.

In the description and claims, each of the verbs “comprise”, “include” and “have”, and conjugates thereof, are used to indicate that the object or objects of the verb are not necessarily a complete listing of members, components, elements or parts of the subject or subjects of the verb.

The present invention may be implemented by any one of, or any combination of, software, hardware, and/or firmware.

The present invention has been described using detailed descriptions of embodiments thereof that are provided by way of example and are not intended to limit the scope of the invention. The described embodiments comprise different features, not all of which are required in all embodiments of the invention. Some embodiments of the present invention utilize only some of the features or possible combinations of the features. Variations of embodiments of the present invention that are described and embodiments of the present invention comprising different combinations of features noted in the described embodiments will occur to persons skilled in the art. The scope of the invention is limited only by the following claims.

1. A method for manipulating the transportation of packets between a source network and IP based destination network, the method comprising the steps of: (a) receiving a packet from a source, the received packet being intended for a destination; (b) parsing the received packet to identify the received packet as a packet that can be manipulated; (c) updating a cross-reference table, the cross-reference table enabling the reconstruction of a connection to the destination; (d) manipulating the received packet by sending the received packet to a manipulation module; (e) reconstructing the connection to the destination for the manipulated packet using the cross-reference table; and (f) transferring the manipulated packet to the destination, wherein the received packet and the manipulated packet are transferred over network based tunnels.
 2. The method of claim 1, wherein the step of manipulating the received packet comprises modifying the received packet in such a way as to accelerate the communication.
 3. The method of claim 1, wherein the IP based data network is the Internet, and the step of parsing the received packet further comprises examining the destination and source addresses of the received packet.
 4. The method of claim 1, wherein the network based tunnels may be implemented using a protocol that belongs to a group of protocols comprising: GRE, IP over IP, IEEE 802.1Q (VLAN Tagging) and the step of transferring the manipulated packet comprises transferring the manipulated packet over such network based tunnel.
 5. The method of claim 1, wherein the step of updating the cross-reference table further comprises using a source port number of the received packet coming from the manipulation module.
 6. The method of claim 1, wherein the step of updating the cross-reference table further comprises using the IP address of the manipulation module.
 7. The method of claim 1, wherein the step of updating the cross-reference table further comprises using the IP address of the destination.
 8. The method of claim 1, wherein the step of updating the cross-reference table further comprises using the IP address of the source.
 9. The method of claim 1, wherein the manipulation module comprises a plurality of virtual manipulation servers with each virtual manipulation server being dedicated to a particular destination, and the step of manipulating the received packet further comprises sending the received packet to an appropriate virtual manipulation server.
 10. The method of claim 1, further comprising the step of parsing the received packet to identify the received packet as a packet that cannot be manipulated and forwarding the received packet, as is, toward the destination.
 11. A method for manipulating the transportation of original packets transported between at least one remote client via an access network and at least one IP based private data network, wherein the original packets are encapsulated in network based tunnel packets, and wherein the manipulation is done at the access network service provider's premises, the method comprising the steps of: transferring, at the access network service provider's premises, the transportation between the at least one remote client and the at least one IP based private data network via a manipulation system; parsing a received network based tunnel packet to determine if the received network based tunnel packet can be manipulated; forwarding the received network based tunnel packet, as is, towards a destination if the received network based tunnel packet cannot be manipulated; if the received network based tunnel packet can be manipulated: retrieving the original packet out of the network based tunnel packet; updating a cross-reference table with parameters that associate the original packet with the received network based tunnel packet, the cross-reference table enabling the reconstruction of a manipulated network based tunnel packet that will be transferred to the destination after the manipulation of the received original packet; manipulating the original received packet; reconstructing the manipulated network based tunnel packet with the manipulated original received packet; and transferring the manipulated network based tunnel packet to the destination over network based tunnels.
12. The method of claim 11, wherein the step of manipulating the received packet is for accelerating the communication.
13. The method of claim 11, wherein the step of reconstructing the manipulated network based tunnel packet with the manipulated original received packet comprises using the cross-reference table.
14. The method of claim 11, wherein the communication between the access network and the at least one IP based private data network is via the Internet, and the step of parsing the received network based tunnel packet further comprises examining the destination and source addresses of the received network based tunnel packet.
15. The method of claim 11, wherein the network based tunnels may be implemented using a protocol that belongs to a group of protocols comprising: GRE, IP over IP, IEEE 802.1Q (VLAN Tagging).
16. The method of claim 11, wherein the network based tunnel is a compulsory tunnel.
17. The method of claim 11, wherein the communication between the remote client and the access network service provider's premises is over a cellular connection.
18. The method of claim 11, wherein the step of updating the cross-reference table further comprises using parameters, wherein the parameters that are used for updating the cross-reference table comprise a source port number of packets coming from a manipulation module.
19. The method of claim 11, wherein the step of updating the cross-reference table further comprises using parameters, wherein the parameters that are used for updating the cross-reference table comprise the IP address of a manipulation module.
20. The method of claim 11, wherein the step of updating the cross-reference table further comprises using parameters, wherein the parameters that are used for updating the cross-reference table further comprise the IP address of the at least one IP based private data network.
21. The method of claim 11, wherein the step of updating the cross-reference table further comprises using parameters, wherein the parameters that are used for updating the cross-reference table further comprise the IP address of the at least one remote client.
22. The method of claim 11, wherein the manipulation system comprises a plurality of virtual manipulation servers with each virtual manipulation server being dedicated to one IP based private data network, and the step of manipulating the received original packet further comprises sending the received original packet to an appropriate virtual manipulation server.
23. A system for manipulating the transportation of original packets transported between at least one remote client via an access network and at least one IP based private data network, wherein the original packets are encapsulated in network based tunnel packets, and wherein the system is at the access network service provider's premises, the system comprising: an access gateway interface module for receiving network based tunnel packets from, and sending network based tunnel packets toward, the at least one remote client via an access gateway; a border gateway interface module for receiving network based tunnel packets from, and sending network based tunnel packets toward, the at least one IP based private data network via a border gateway; a manipulation module for manipulating the original packets that are encapsulated in the network based tunnel packets; a manipulation equipment interface module, interfacing to the access gateway interface module and the border gateway interface module and the manipulation module and that is operable to receive network based tunnel packets from, and send network based tunnel packets to, the access gateway interface and the border gateway interface modules; the manipulation equipment interface being further operable to manipulate received network based tunnel packets by retrieving an original packet, sending the retrieved original packet to the manipulation module, receiving a manipulated packet that is the result of the manipulation of the original packet, reconstructing the network based tunnel packet by installing the manipulated original packet and forwarding the reconstructed network based tunnel packet to either the access gateway interface or the border gateway interface.
24. The system of claim 23, wherein the network based tunnel may be implemented using a protocol that belongs to a group of protocols comprising: GRE, IP over IP, IEEE 802.1Q (VLAN Tagging).
25. The system of claim 23, wherein the manipulation module further comprises a plurality of virtual manipulation servers, wherein each virtual manipulation server is dedicated to processing traffic for one IP based private data network.
26. The system of claim 23, wherein the manipulation module further comprises a plurality of virtual manipulation servers that are automatically initiated.
27. The system of claim 23, wherein the access gateway interface module maintains a table of all destinations that are users of the manipulation equipment.
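The processing path recited in claims 11 and 23 (parse the tunnel packet, decide whether it can be handled, retrieve the original packet, record a cross-reference entry, manipulate, rebuild the tunnel packet or forward it as is) is shown below as an added worked example in Python. It is not code from the patent or from any product it describes. It models only GRE over IPv4 (one of the tunnel types named in claims 15 and 24); the packet layouts follow RFC 791 and RFC 2784. The patent does not say what the manipulation itself is, so payload compression stands in for it here, and the addresses, the subscriber table and the class and function names are all constructed for the example.

```python
import ipaddress
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Tuple

IPPROTO_GRE = 47          # GRE carried directly in IPv4 (RFC 2784)
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000

@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    payload: bytes

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Decode an IPv4 header (options skipped via IHL) and verify its checksum."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", raw[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(raw[i:i + 4])) for i in (12, 16))
    return IPv4Packet(src, dst, raw[9], raw[ihl:total_len])

def build_ipv4(pkt: IPv4Packet, ttl: int = 64) -> bytes:
    """Serialise with a 20-byte header; the checksum is computed over a zeroed field."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(pkt.payload), 0, 0, ttl,
                      pkt.proto, 0, ipaddress.IPv4Address(pkt.src).packed,
                      ipaddress.IPv4Address(pkt.dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + pkt.payload

def gre_header_len(gre: bytes) -> int:
    """Base GRE header is 4 bytes; the C, K and S flags each add a 4-byte field."""
    flags = struct.unpack("!H", gre[:2])[0]
    return 4 + 4 * sum(bool(flags & f) for f in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S))

class ManipulationEquipment:
    def __init__(self, subscribed_destinations):
        self.subscribed = set(subscribed_destinations)      # claim 27 style table
        # Cross-reference table (claims 11, 20, 21): original-packet addresses ->
        # (outer src, outer dst, verbatim GRE header) needed to rebuild the tunnel.
        self.xref: Dict[Tuple[str, str], Tuple[str, str, bytes]] = {}

    def can_manipulate(self, outer: IPv4Packet) -> bool:
        """Claims 11/14: inspect the tunnel packet's addresses and encapsulation."""
        if outer.proto != IPPROTO_GRE or len(outer.payload) < 4:
            return False
        flags, ptype = struct.unpack("!HH", outer.payload[:4])
        # A GRE checksum would have to be recomputed after the rewrite; this
        # model passes such packets through untouched instead.
        if flags & GRE_FLAG_C or ptype != GRE_PROTO_IPV4:
            return False
        return outer.dst in self.subscribed

    def manipulate(self, inner: IPv4Packet) -> IPv4Packet:
        """Stand-in for a virtual manipulation server: the patent does not define
        the transform, so payload compression is used here as an illustration."""
        return IPv4Packet(inner.src, inner.dst, inner.proto, zlib.compress(inner.payload))

    def reconstruct(self, manipulated: IPv4Packet) -> bytes:
        """Claim 13: rebuild the tunnel packet from the cross-reference entry."""
        outer_src, outer_dst, gre = self.xref[(manipulated.src, manipulated.dst)]
        return build_ipv4(IPv4Packet(outer_src, outer_dst, IPPROTO_GRE,
                                     gre + build_ipv4(manipulated)))

    def process(self, raw: bytes) -> bytes:
        """The claim 11 pipeline: parse, decide, extract, record, manipulate, rebuild."""
        outer = parse_ipv4(raw)
        if not self.can_manipulate(outer):
            return raw                                      # forward as is (claim 10)
        hlen = gre_header_len(outer.payload)
        inner = parse_ipv4(outer.payload[hlen:])
        self.xref[(inner.src, inner.dst)] = (outer.src, outer.dst, outer.payload[:hlen])
        return self.reconstruct(self.manipulate(inner))

def make_gre_tunnel_packet(outer_src: str, outer_dst: str, inner: IPv4Packet) -> bytes:
    """Constructed sample NBT packet: IPv4 / GRE (no optional fields) / IPv4."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return build_ipv4(IPv4Packet(outer_src, outer_dst, IPPROTO_GRE, gre + build_ipv4(inner)))

def demo():
    """One manipulable and one pass-through packet; all addresses are constructed."""
    meq = ManipulationEquipment({"203.0.113.7"})
    inner = IPv4Packet("10.0.0.5", "192.168.1.10", 17, b"A" * 200)
    tunnel = make_gre_tunnel_packet("100.64.0.1", "203.0.113.7", inner)
    out = meq.process(tunnel)
    new_outer = parse_ipv4(out)
    new_inner = parse_ipv4(new_outer.payload[4:])
    other = make_gre_tunnel_packet("100.64.0.1", "198.51.100.9", inner)
    return (new_outer, new_inner, zlib.decompress(new_inner.payload),
            len(out) < len(tunnel), meq.process(other) == other)
```

Two design points matter for a deployment of this kind. First, the cross-reference key here is only the inner source and destination address pair (claims 20 and 21); claims 18 and 19 add the manipulation module's port and address precisely because two tunnels may carry the same inner address pair, so a production table needs the richer key. Second, `can_manipulate` treats anything it cannot rebuild faithfully (a GRE header with the checksum bit set, a non-IPv4 GRE payload, a destination not in the subscriber table) as "cannot be manipulated" and forwards it unchanged, which is the safe default the claims call for.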